Oracle has released another major Critical Patch Update this quarter, with 113 security fixes for a wide variety of products including some vulnerabilities which could enable remote code execution.
The firm’s popular Java platform got updates addressing 20 security issues including one with the highest CVSS score of 10 affecting versions 6, 7 and 8. This could enable attackers to fully compromise victim PCs by leading users to malicious sites.
Another seven Java vulnerabilities had a score of 9.3, according to Qualys CTO Wolfgang Kandek.
“All of the critical vulnerabilities apply to client side installation of Java, i.e. Java on workstations that execute applets and Java Web start applications,” he wrote in a blog post. “Since Java has been on the radar for many cyber criminals and we have seen Java vulnerabilities included in common ExploitKits, you should address these problems as soon as possible.”
Elsewhere, MySQL had 10 vulnerabilities addressed in the update including a fix for a Heartbleed vulnerability in MySQL Enterprise server 5.6.
Kandek recommended admins patch these flaws quickly, especially if the MySQL databases in question are directly connected to the internet.
There were five new fixes for the flagship Oracle Database Server family, the most severe of which (CVE-2013-3751) was rated CVSS 9.
“It's somewhat shocking to see that the top two issues (CVE-2013-3751 & CVE-2013-3774) being fixed in Oracle Database 12 were fixed a year ago for Oracle Database 11,” argued Rapid7 securiy engineering senior manager, Ross Barrett.
“That means that Oracle quite likely knew that version 12 was vulnerable when they released it last June and have left their customers exposed for the past year.”
Other products covered in the mammoth patch update included seven vulnerabilities for virtualization software, VirtualBox; 29 in Oracle Fusion Middleware; seven updates for Oracle Hyperion; six for Siebel CRM; five for E-Business; five for PeopleSoft; and four for Solaris.
“The older patches in Oracle Fusion Middleware (linked to CVE-2013-1741 and others) seem to be a different beast,” explained Barrett.
“This is likely Oracle taking upstream fixes from an open source vendor (Mozilla in this case) and redistributing them to their paying, affected customers because they re-use the vulnerable component.”